Europe orders Microsoft to keep Passports private

By Will Knight

Microsoft’s internet Passport scheme will be “substantially” modified, following the publication on Thursday of new European guidelines that aim to protect personal information.

Passport is intended to remove the need for internet users to enter log-on and other details into every new website they visit. This could include their name, address and credit card information. Passport collects this information and automatically provides it to accredited websites and companies that request it.

But privacy and data protection organisations have raised concern that this collected information could easily be misused. A working party of the European Union’s Data Protection Authorities has now issued a set of guidelines aimed at protecting information entered into such “single-sign-on” internet schemes, which Microsoft has accepted.

The new rules mean that Passport users who identify themselves as residing within the EU will be given advice on European data protection law and have the Passport system explained more fully. EU users will also be given options allowing them to configure the types and amount of personal data that may be passed on by Microsoft and participating websites.

Secure passwords

The modifications are designed to make Passport comply with the European Data Protection Directive, passed in 1995. Users will also be given advice on creating more secure passwords. Changes to the Passport system will be introduced over the next 18 months.

Frits Bolkestein, the European Commission’s Internal Market Commissioner, adds: “The bottom line is that users’ data will now be better protected. Microsoft has agreed to implement a comprehensive package of data protection measures, which will mean making substantial changes to the existing dot.NET Passport system.”

A spokesman for the UK’s Data Protection Commission, which participated in the working group, told New Scientist: “It’s not very transparent how [Passport] works and it’s difficult to terminate an account. These things are going to be resolved now.”

Centralised database

An alternative online identification project called the Liberty Alliance will also have to comply with the new guidelines. This scheme was developed by a number of Microsoft’s rivals including Sun Microsystems, AOL and Hewlett Packard.

It is designed to let different companies share information without the single centralised database required by Passport. It is currently in the development stage.

Concerns still remain over the security of single-sign-on systems such as Passport. Some experts say a single security breach could expose vast amounts of personal information.

Microsoft has also faced pressure in the US to ensure that personal information entered into Passport is not misused. In August 2002, the software company agreed with the US Federal Trade Commission to let an external company audit the security of the system.